EP2311235A2 - Method for access control within a network comprising a pep and a pdp - Google Patents

Method for access control within a network comprising a pep and a pdp

Info

Publication number
EP2311235A2
Authority
EP
European Patent Office
Prior art keywords
obligations
obligation
pdp
pep
language
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
EP10700699A
Other languages
German (de)
English (en)
French (fr)
Inventor
Mario Lischka
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
NEC Europe Ltd
Original Assignee
NEC Europe Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.): 2009-01-09
Filing date: 2010-01-11
Publication date: 2011-04-20

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L47/00 Traffic control in data switching networks
    • H04L47/70 Admission control; Resource allocation
    • H04L47/78 Architectures of resource allocation
    • H04L47/782 Hierarchical allocation of resources, e.g. involving a hierarchy of local and centralised entities

Definitions

  • the present invention relates to a method for access control within a network, especially for control of access of a subject to a resource of the network, wherein a PEP (Policy Enforcement Point) sends an access request for evaluation to a PDP (Policy Decision Point) and wherein the PDP may send a reply which may contain at least one obligation to the PEP. Further, the present invention relates to a network, wherein access control is provided, especially control of access of a subject to a resource of the network, wherein a PEP (Policy Enforcement Point) sends an access request for evaluation to a PDP (Policy Decision Point) and wherein the PDP may send a reply which may contain at least one obligation to the PEP.
  • PEP: Policy Enforcement Point
  • OASIS: Organization for the Advancement of Structured Information Standards
  • XACML: OASIS extensible Access Control Markup Language
  • while the policy language is flexible enough to cover approaches like Core and Hierarchical Role Based Access Control, the handling of obligations is quite neglected, although it is an important issue, especially for supporting privacy and advanced tracing of data flow. As an example, an obligation could require the accessing unit to use a certain encryption for data persistency, or ensure that a specific action is performed within a given time frame. This is obtainable from Q.
  • the aforementioned object is accomplished by a method comprising the features of claim 1 and a network comprising the features of claim 27.
  • the method is characterized in that for specifying obligations a meta-language is used.
  • the network is characterized in that for specifying obligations a meta-language is defined.
  • the meta-language could be a generic language.
  • a generic language could allow for a generic description of obligations even in a distributed environment.
  • a detection and/or specification of possible conflicts between the obligations could be provided on the basis of the specification of the obligations and/or of definitions based on the meta-language.
  • Such a detection and/or specification of possible conflicts between the obligations could be provided in a general way or depending on the assignment of at least one matching value to at least one parameter of each obligation or for two obligations. In other words, such a detection and/or specification could be provided depending on the matching assignment of at least one parameter for two obligations.
  • a negotiation with regard to a respective support of the obligations by PEP and PDP could be provided on the basis of the specification and/or of definitions based on the meta-language.
  • the present invention can specify a meta-language to specify obligations and potential conflicts between them as well as a method to exchange this specification between the PDP and PEP and negotiate the support of the obligations specified.
  • the description of the supported obligation or obligations and their potential conflicts in a meta-language will be one major aspect of preferred embodiments of this invention.
  • the present invention describes a method using the specifications based on this language to specify the capabilities of PDP and PEP.
  • incompatibility between the PEP and PDP could be detected beforehand.
  • the negotiation phase allows the PDP and the PEP to check the compatibility of their required and supported obligations, respectively. In case of mismatches, resolution methods could be applied.
  • this negotiation process could be repeated at run-time to change the set of obligations used between PDP and PEP.
  • the negotiation process could be skipped and a direct/manual exchange of the obligation specification could be done.
  • if this specification is not fully supported by the PEP, the deployment has failed. Otherwise, both PDP and PEP could refer to the supported obligation specification.
  • the specification or specifications of the obligations are negotiated during the deployment of the PEP and PDP.
  • the negotiation could be repeated at run-time. During run-time the detection of conflicts between the specifications is also possible.
  • the negotiation between the PDP and PEP could comprise three types of messages, termed request message, reply message and resolve message. Based on said three types of messages an effective negotiation is possible.
  • the negotiation could be initiated by the PDP or the PEP. Both cases are possible and could be implemented by an operator.
  • meta-language or specification of obligations could be realized as an extension of or an integration in the XACML standard.
  • minor amendments and/or additions to an existing standard are necessary for realizing the present invention.
  • an obligation could contain a unique identifier.
  • the unique identifier is a URI, and the obligation carries a set of parameters whose data types can be specified through URIs.
  • URIs allow a very simple handling of obligations.
  • a policy schema could be independent from already existing or previous definitions or schemata, if a dependency from such already existing or previous definitions or schemata is not requested.
  • Such a common obligation specification could be independent from the policy schema, for providing a well-defined and clear structure of components.
  • the PEP and/or the PDP could check that a response from the PDP contains only an obligation or obligations used in the common obligation specification. Thus, only negotiated obligations could be used.
  • a relationship model of the specified obligations could be generated preferably by the PEP and/or the PDP. If a relationship between obligations exists, the possible conflict could be either resolved or escalated for further handling.
  • the PEP and the PDP could be independent from each other.
  • the PEP and the PDP could be provided in a distributed environment.
  • the present invention is particularly effective with regard to handling of obligations.
  • the obligation specification and/or definition and/or negotiation could be dynamic.
  • the present invention is providing a method for specifying arbitrary obligations including their parameters, and potential conflicts between them, either in a general way or depending on the dynamic values assigned, usable to detect incompatibilities during deployment as well as at run-time with additional conflict detection at run-time. Further, conflict detection and resolution based on obligation relations as well as negotiation of supported obligations of the PEP and required obligation of the PDP before regular operation are possible.
  • the present invention is providing a distributed and independent PEP and PDP implementation with support of arbitrary obligations. Further, detection of obligation incompatibilities between PEP and PDP during deployment and detection of conflicts between combined obligations at run-time are possible.
  • Fig. 1 is illustrating a structure of an extension of an existing standard according to the invention.
  • Fig. 2 is illustrating an overview of the usage of the inventive method.
  • from Fig. 1 the structure of an extension of the existing XACML standard can be obtained.
  • a generic meta-language is presented according to the invention.
  • the policy schema is shown as an extension of a current policy schema within Fig. 1.
  • the policy specification is based on the policy schema and is defining the identifier of the respective obligation or obligations which can be processed.
  • the obligation schema is comprising the structure of defining an obligation.
  • the obligation specification is comprising the type of obligation, e.g. obligation of sending a notification to a given address.
  • the policy specification is based on the policy schema and refers to the obligation specification.
  • the obligation specification is based on the obligation schema, see Fig. 1.
  • Fig. 2 is illustrating an overview of an example of usage of the specification of obligations.
  • the negotiation process could be initiated by the PDP or the PEP.
  • the initiator first sends a list with the request obligations.
  • the receiver analyses this list and indicates for each obligation whether it supports it or not. In the latter case it could indicate a potential solution, either by indicating that the parameter list of the obligation does not match, or that the types of a parameter differ at first glance. If no solutions are available, the negotiation could be terminated with a failure.
  • the initiator could react to a proposed solution by either accepting fixed values, including empty ones, for the parameters, or by accepting a casting of the values to a different type. Additionally, it could withdraw an obligation or ask the other side to ignore it in case it shows up. Finally, the negotiation process could be terminated with a failure at this point as well.
  • this negotiation process could be repeated at run-time to change the set of obligations used between PDP and PEP. In special cases the negotiation process could be skipped and a direct/manual exchange of the obligation specification could be done. If this specification is not fully supported by the PEP, the deployment has failed. Otherwise, both PDP and PEP could refer to the supported obligation specification.
  • the PDP ensures during the loading of policy specification(s) that they contain only obligations defined in the obligation specification. Independently, the PEP could check each access reply to verify that it contains only the obligations specified. The usage of incompatible obligation specifications could be checked against the supported obligation specification. Independently, PEP and PDP could generate a relationship model of all obligations contained in the obligation specification; various techniques could be used for an efficient implementation of this relationship model, including but not limited to graphs, linked lists, or hash maps. Based on a conflict, a unidirectional relationship, e.g. inclusion, is created, and the relevant parameters and the resulting conflicts are given. For a given reply, the contained obligations could be checked for a relationship, either in the general case or based on the concrete parameter values. If a relationship exists, the resulting conflict could be either resolved or escalated for further handling.
  • the invention is providing a generic description of obligation, especially within a distributed environment.
  • Required and supported obligations can be exchanged between PDP and PEP to avoid unknown obligations at run-time. It is possible to identify different categories of relations between obligations. Conflicting obligations can be detected in ongoing access requests.
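The three-message negotiation described above (request, reply, resolve), together with the PEP-side check that an access reply carries only negotiated obligations, as an added example that is not part of the patent or any NEC implementation. Obligation identifiers and parameter types are URIs as the text describes; every URI, the castable-type table and the sample PDP/PEP specifications are constructed for the demonstration.

```python
"""Toy three-message obligation negotiation (request, reply, resolve) between a PDP
and a PEP. Added example, not the patent's code; all URIs and specs are constructed."""
from dataclasses import dataclass

@dataclass
class Obligation:
    """Unique URI id plus parameter name -> type URI (None once fixed to an empty value)."""
    id: str
    params: dict

# Constructed: (required type, supported type) pairs the receiver can cast.
CASTABLE = {("urn:example:type:seconds", "urn:example:type:integer")}

def reply(supported, requested):
    """Reply message: 'supported', or 'unsupported' plus a solution where one exists."""
    answers = {}
    for ob in requested:
        local = supported.get(ob.id)
        if local is None:
            answers[ob.id] = ("unsupported", None)
        elif set(ob.params) != set(local.params):  # parameter lists do not match
            answers[ob.id] = ("unsupported", {"fix": sorted(set(ob.params) ^ set(local.params))})
        else:  # same parameters: offer a cast where types differ but are castable
            casts = {n: local.params[n] for n, t in ob.params.items() if t != local.params[n]}
            castable = all((ob.params[n], t) in CASTABLE for n, t in casts.items())
            answers[ob.id] = ("supported", None) if not casts else (
                "unsupported", {"cast": casts} if castable else None)
    return answers

def resolve(requested, answers, withdrawable=frozenset()):
    """Resolve message: accept fixes or casts, withdraw, or fail. Returns (ok, common)."""
    common = {}
    for ob in requested:
        status, sol = answers[ob.id]
        if status == "supported":
            common[ob.id] = ob
        elif sol and "cast" in sol:
            ob.params.update(sol["cast"])  # accept the proposed type casts
            common[ob.id] = ob
        elif sol and "fix" in sol:
            ob.params.update({n: None for n in sol["fix"]})  # accept empty fixed values
            common[ob.id] = ob
        elif ob.id not in withdrawable:
            return False, {}  # no solution and not withdrawable: negotiation fails
    return True, common

def check_reply(common, obligation_ids):
    """PEP-side check: an access reply may carry only negotiated obligations."""
    return all(i in common for i in obligation_ids)

# Constructed sample specifications: what the PDP requires, what the PEP supports.
S, E, SEC, INT = ("urn:example:type:" + t for t in ("string", "email", "seconds", "integer"))
OB = "urn:example:obligation:"
PDP_REQUIRED = [Obligation(OB + n, p) for n, p in [
    ("encrypt-at-rest", {"algorithm": S}), ("notify", {"address": E, "deadline": SEC}),
    ("audit-log", {"target": S, "retention": INT}), ("watermark", {})]]
PEP_SUPPORTED = {OB + n: Obligation(OB + n, p) for n, p in [
    ("encrypt-at-rest", {"algorithm": S}), ("notify", {"address": E, "deadline": INT}),
    ("audit-log", {"target": S})]}

def negotiate(required, supported, withdrawable=frozenset()):
    """One PDP-initiated round: request message (copies of the required obligations),
    then reply, then resolve."""
    req = [Obligation(o.id, dict(o.params)) for o in required]
    return resolve(req, reply(supported, req), withdrawable)
```

With the sample specs, the notify obligation is accepted via a seconds-to-integer cast, the audit-log obligation via an empty fixed value for the unmatched retention parameter, and the watermark obligation must be withdrawn or the negotiation fails.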


Priority Applications (1)

Application Number Priority Date Filing Date Title
EP10700699A EP2311235A2 (en) 2009-01-09 2010-01-11 Method for access control within a network comprising a pep and a pdp

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
EP09000215 2009-01-09
PCT/EP2010/000086 WO2010079144A2 (en) 2009-01-09 2010-01-11 A method for access control within a network and a network
EP10700699A EP2311235A2 (en) 2009-01-09 2010-01-11 Method for access control within a network comprising a pep and a pdp

Publications (1)

Publication Number Publication Date
EP2311235A2 true EP2311235A2 (en) 2011-04-20

Family

ID=42316899

Family Applications (1)

Application Number Title Priority Date Filing Date
EP10700699A Withdrawn EP2311235A2 (en) 2009-01-09 2010-01-11 Method for access control within a network comprising a pep and a pdp

Country Status (5)

Country Link
US (1) US20110264816A1 (zh)
EP (1) EP2311235A2 (zh)
JP (1) JP2012503455A (zh)
CN (1) CN102273173A (zh)
WO (1) WO2010079144A2 (zh)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9256757B2 (en) * 2010-06-17 2016-02-09 Sap Se Prefetch of attributes in evaluating access control requests
CN102006297B (zh) * 2010-11-23 2013-04-10 中国科学院软件研究所 一种基于两级策略决策的访问控制方法及其系统
US9332132B1 (en) * 2014-11-26 2016-05-03 Tsc Acquisition Corporation System and method for reclaiming obligated network resources
CN106656937A (zh) * 2015-11-03 2017-05-10 电信科学技术研究院 一种访问控制方法和访问令牌颁发方法、设备
US20170230419A1 (en) * 2016-02-08 2017-08-10 Hytrust, Inc. Harmonized governance system for heterogeneous agile information technology environments

Family Cites Families (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3636948B2 (ja) * 1999-10-05 2005-04-06 株式会社日立製作所 ネットワークシステム
US6970930B1 (en) * 1999-11-05 2005-11-29 Mci, Inc. Method and system of providing differentiated services
CN100384141C (zh) * 2002-11-01 2008-04-23 艾利森电话股份有限公司 分布网络中基于策略控制的方法和系统
JP4251008B2 (ja) * 2003-04-30 2009-04-08 日本電気株式会社 ネットワーク間接続装置の自動設定システム及びそれに用いる自動設定方法
WO2005009003A1 (en) * 2003-07-11 2005-01-27 Computer Associates Think, Inc. Distributed policy enforcement using a distributed directory
FR2857807B1 (fr) * 2003-07-18 2005-12-02 Cit Alcatel Procede de transaction pour un approvisionnement de regles dans un reseau gere a base de regles
US8046763B1 (en) * 2004-02-20 2011-10-25 Oracle America, Inc. Regulation of resource requests to control rate of resource consumption
WO2006108436A1 (en) * 2005-04-08 2006-10-19 Telefonaktiebolaget Lm Ericsson (Publ.) Policy-based management in communications network
JP4729365B2 (ja) * 2005-08-12 2011-07-20 株式会社野村総合研究所 アクセス制御システム、認証サーバ、アクセス制御方法およびアクセス制御プログラム
US9407662B2 (en) * 2005-12-29 2016-08-02 Nextlabs, Inc. Analyzing activity data of an information management system
US20100131650A1 (en) * 2008-11-26 2010-05-27 Chou Lan Pok Methods and Apparatus to Support Network Policy Managers
US8228812B2 (en) * 2008-12-12 2012-07-24 Electronics And Telecommunications Research Institute Method and system for providing multicast service in next-generation network

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See references of WO2010079144A2 *

Also Published As

Publication number Publication date
JP2012503455A (ja) 2012-02-02
WO2010079144A2 (en) 2010-07-15
US20110264816A1 (en) 2011-10-27
WO2010079144A3 (en) 2010-10-07
CN102273173A (zh) 2011-12-07


Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

17P Request for examination filed

Effective date: 20110304

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO SE SI SK SM TR

AX Request for extension of the european patent

Extension state: AL BA RS

17Q First examination report despatched

Effective date: 20110707

DAX Request for extension of the european patent (deleted)
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION IS DEEMED TO BE WITHDRAWN

18D Application deemed to be withdrawn

Effective date: 20140410